Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Use one or two TCP/UDP ports for two different sources of Syslog if I want them in separate sourcetypes

kashyap2702
New Member
‎08-30-2017 05:01 AM

In my app, I want Syslog from two different sources in two different sourcetypes (since they both are of different types). I have two options for this:
- enable two ports and assign different sourcetypes to both
- collect them on single port and assign different sourcetypes using regex (will require much analysis of logs)

What is the recommended approach ?

Thanks,
Kashyap

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

s2_splunk
Splunk Employee
Splunk Employee
‎08-30-2017 11:12 AM

The best practice approach for syslog collection is to send your log data to a syslog server, apply proper policies in syslog server to write to separate files/folder and use a Universal Forwarder on the syslog server to process the log files the splunky way.

Note that if you send syslog to a Splunk listener, you will lose data every time you have to restart Splunk, e.g. to apply configuration changes. Plus, as you are just finding out, you have to have a separate port for each sourcetype, which gets messy quickly.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎09-04-2017 10:31 AM

Always use distinct (in this case 2) ports. Then you can debug problems from the outside using OS tools, too.
If you are stuck using a single port then you should use this project and help contribute to the auto-sourcetypeing RegEx list:
https://github.com/splunk/splunk-connect-for-syslog/wiki

0 Karma
Reply
Solved! Jump to solution
Solution

s2_splunk
Splunk Employee
Splunk Employee
‎08-30-2017 11:12 AM

The best practice approach for syslog collection is to send your log data to a syslog server, apply proper policies in syslog server to write to separate files/folder and use a Universal Forwarder on the syslog server to process the log files the splunky way.

Note that if you send syslog to a Splunk listener, you will lose data every time you have to restart Splunk, e.g. to apply configuration changes. Plus, as you are just finding out, you have to have a separate port for each sourcetype, which gets messy quickly.

0 Karma
Reply
Solved! Jump to solution

gcusello
Esteemed Legend
‎08-30-2017 07:28 AM

Hi kashyap2702,
if you can I'd prefer the first.
Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! 🌈 In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...